Re: LsaRemoveAccountRights

From: John Burkhardt (john.burkhardt_at_earthlink.net)
Date: 04/18/04

    Date: Sat, 17 Apr 2004 19:45:52 -0400
    
    

    On 4/17/04 2:17 AM, in article eFRpZOEJEHA.3500@TK2MSFTNGP10.phx.gbl, "Amit
    Rahul [MS]" <arahul@online.microsoft.com> wrote:

    > One addendum to the example below, it should be
    > lpright = SE_INTERACTIVE_LOGON_NAME to be used with LsaRemoveAccountRights
    > rather than SE_DENY_INTERACTIVE_LOGON_NAME. It was a typo. :-(
    >

    Thanks for your help.

    After creating an account, those APIs (LsaEnumerateAccountRights etc.)
    were always returning that the account was not found until I called
    LsaCreateAccount with the account SID. This LsaCreateAccount function was
    not documented though, but it did the trick. And it was listed in that KB
    article in my previous post. So it's listed in the sample as the way to do
    it (LsaOpenAccount & LsaCreateAccount) but not in the public header file.

    I was opening the LsaOpenPolicy handle correctly and getting back a valid
    handle. It didn't seem to be a question of access rights. Just that
    somehow the account was not known by the Local Security Authority until I
    called LsaCreateAccount.

    Further, when I added my account to the list of those to be denied
    interactive login with the account management UI, then my code worked, i.e.
    LsaEnumerateAccountRights started working.

    So I'm not sure what is going on exactly, since I got this to work with
    undocumented code.

    If you would like a small sample that demonstrates this behavior let me
    know.

    -John
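
Added example (not from the original post or from the KB sample it mentions): removing a right with only the documented LSA calls, treating the "not found" result of LsaEnumerateAccountRights as "no rights assigned" rather than as a failure. The names `classify_enum_result` and `remove_right` are hypothetical, and the Win32 part is guarded so the status logic also builds on other platforms.

```c
#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>
#else                 /* values from winerror.h, so the status logic builds anywhere */
#define ERROR_SUCCESS 0UL
#define ERROR_FILE_NOT_FOUND 2UL
#endif

enum rights_state { RIGHTS_PRESENT, RIGHTS_NONE, RIGHTS_ERROR };

/* winerr is LsaNtStatusToWinError() of the LsaEnumerateAccountRights() status.
   A "file not found" result means the SID holds no rights in the LSA policy. */
enum rights_state classify_enum_result(unsigned long winerr, unsigned long count)
{
    if (winerr == ERROR_SUCCESS) return count ? RIGHTS_PRESENT : RIGHTS_NONE;
    if (winerr == ERROR_FILE_NOT_FOUND) return RIGHTS_NONE;
    return RIGHTS_ERROR;
}

#ifdef _WIN32
/* Remove one right (for example SE_INTERACTIVE_LOGON_NAME) from sid.
   Returns a Win32 error code; "no rights assigned" counts as success. */
DWORD remove_right(PSID sid, const WCHAR *right)
{
    LSA_OBJECT_ATTRIBUTES oa;
    LSA_HANDLE policy = NULL;
    PLSA_UNICODE_STRING held = NULL;
    LSA_UNICODE_STRING name;
    ULONG count = 0;
    DWORD err;
    ZeroMemory(&oa, sizeof oa);
    err = LsaNtStatusToWinError(LsaOpenPolicy(NULL, &oa,
              POLICY_LOOKUP_NAMES | POLICY_CREATE_ACCOUNT, &policy));
    if (err != ERROR_SUCCESS) return err;
    err = LsaNtStatusToWinError(LsaEnumerateAccountRights(policy, sid, &held, &count));
    switch (classify_enum_result(err, count)) {
    case RIGHTS_PRESENT:
        name.Buffer = (PWSTR)right;
        name.Length = (USHORT)(lstrlenW(right) * sizeof(WCHAR));   /* bytes, no NUL */
        name.MaximumLength = (USHORT)(name.Length + sizeof(WCHAR));
        err = LsaNtStatusToWinError(LsaRemoveAccountRights(policy, sid, FALSE, &name, 1));
        break;
    case RIGHTS_NONE:  err = ERROR_SUCCESS; break;   /* nothing to remove */
    case RIGHTS_ERROR: break;                        /* err already holds the failure */
    }
    if (held) LsaFreeMemory(held);
    LsaClose(policy);
    return err;
}
#endif
```

On Windows, link against advapi32.lib; the caller supplies the SID, for example from LookupAccountName.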

